Frequently Asked Questions

1. What is "Trusted Code"?

The Trusted Code Initiative defines “Trusted Code” as open source software components, applications, development methods and practices that address the unique procurement, administrative and security requirements associated with Federal Government enterprise systems.

Trusted Code resources must meet the following criteria: 1) appropriately validated or affirmed by a government-sanctioned accreditation process; 2) deployed, or available for deployment, within a government technology system and affirmed by a government user or their designated representative; or, 3) or designated as “Trusted” by a government-sanctioned entity.

1.1) is appropriately validated or affirmed by a government-sanctioned accreditation process;

This includes all commercial and/or community-supported open source solutions that have achieved validation in accordance to policies such as the National Security Telecommunications and Information Systems Security Policy (NSTISSP) No. 11; National Policy Governing the Acquisition of Information Assurance (IA) and IA-Enabled Information Technology (IT) Products is issued by the National Security Telecommunications and Information Systems Security Committee (NSTISSC).1

Commercially or community-supported open source software products that have obtained these validations will automatically be considered as “Trusted Code” and are not required to pass any additional requirements under the Trusted Code Initiative.

These software products or components are not required to be included in the Trusted Code repository, but can be linked to their existing hosting facility as long as the code is verified and its validation is current.

Examples of this would be Red Hat Enterprise Linux by Red Hat, SUSE Linux Enterprise Desktop by SUSE, or the FIPS 140-2 Validated OpenSSL Cryptographic Modules.

1.2) is deployed within a government technology system and affirmed by a government user or their designated representative;

This includes any open source software component, application or application suite that is currently deployed within a government technology system, with the caveat that at least one government agency or their designated representative much confirm and affirm the deployed solution.

This criteria is to demonstrate a viable solution and provide a reference point for other government agencies who might consider the solution as part of their system.

The affirming government entity is not required to host or maintain the Trusted Code, but must “vouch” for its usefulness and functionality. There is no liability or expectation assumed on the part of the “vouching” government entity or their representative.

An example of this is the Defense Information Systems Agency's (DISA) Open Source Corporate Management Information System (OSCMIS)(media article description). OSCMIS, an open source Federal workflow management application suite, was developed and is currently deployed within DISA and manages the agency's 16,000 combat support personnel worldwide. DISA makes a version of the OSCMIS suite available under an open source license, but does not provide support for instances outside of the agency's critical mission path.

1.3) is designated as “Trusted” by a government-sanctioned entity.

There are many open source software components that are available as viable alternative solutions to government agencies, but are not directly subject to existing accreditation policy regulations.

To consider these open source components, or applications, as “Trusted Code,” the Trusted Code Initiative will establish a criteria to define and designate such software assets as “Trusted.”

This process will be determined and governed by government, commercial and community representatives of the Trusted Code Foundation as the (to be established) appropriate organizational Board of Directors designate.

Additional questions to be addressed as the Trusted Code Initiative evolves:

2. What is the difference between Trusted Code and other open source software that is used within government systems?

3. How does a software component become "Trusted"?

4. Who regulates the definition and standard for "Trusted Code"?

5. Who can submit a component to become Trusted?

6. Who pays for Trusted Code?

7. Who can access Trusted Code?

8. Is Trusted Code secure?

9. What are the export (ITAR) issues regarding Trusted Code?

10. Who can service and support Trusted Code resources?

11. How and where are Trusted Code resources hosted and distributed? Who has access?

12. Which code scanning engines are used as part of the Trusted Code Analysis and Vulnerability Monitoring?

13. How often are Trusted Code assets scanned?

14. What is included in the Free and "for Fee" Vulnerability Report?

15. Who determines which Trusted Code resources are included in Information Assurance validation efforts?

16. Who can participate in the IA validation process? What does it cost? Who has access after the code is validated?

17. Which IA and SwA validations are included or considered?

18. Which Government Agencies are participating in the Trusted Code Initiative?

19. Who serves on the Trusted Code Foundation Board and other committees?

20. What are the qualifications or criteria required to participate in the Trusted Code Foundation?

21. Are Trusted Code resources 508 compliant?

22. What is the long-term strategy for the Trusted Code Initiative?

23. What are the reporting processes and policies for the Trusted Code Foundation?

24. What open source licenses are recognized or recommended by the Trusted Code Initiative?